Thread: [sleuthkit-users] Restore a damaged partition
From: Eric Y. <er...@mi...> - 2004-04-03 22:14:22
I run a FreeBSD machine. Something happened and the kernel failed to load. I tried restoring but to no avail. I re-installed freebsd and all data from my partitions seemed to have disappeared.

Specifically I have one data partition that was not altered at any point, nor during re-install (/web) which I would love to restore...

I installed the Sleuth Kit and Autopsy and was able to view only raw data from the Data Unit option. From the little random data I checked using the keyword search option, it appears that all data is physically intact however I can't access the directory and file structures in order to restore the data.

Is there a way to do this?

Thanks,
Eric

From: Eagle I. S. I. <in...@ea...> - 2004-04-04 03:35:10
I'm not sure of a way to do it with Autopsy, but you can view and export the entire file structure hierarchy and files with ASR Data's SMART. It's not an inexpensive solution, however if the data is valuable to you, it may be worth the expense.

Niall.

_____
From: sle...@li... [mailto:sle...@li...] On Behalf Of Eric Yellin
Sent: Sunday, April 04, 2004 3:15 AM
To: sle...@li...
Subject: [sleuthkit-users] Restore a damaged partition

I run a FreeBSD machine. Something happened and the kernel failed to load. I tried restoring but to no avail. I re-installed freebsd and all data from my partitions seemed to have disappeared.

Specifically I have one data partition that was not altered at any point, nor during re-install (/web) which I would love to restore...

I installed the Sleuth Kit and Autopsy and was able to view only raw data from the Data Unit option. From the little random data I checked using the keyword search option, it appears that all data is physically intact however I can't access the directory and file structures in order to restore the data.

Is there a way to do this?

Thanks,
Eric

From: Brian C. <ca...@sl...> - 2004-04-04 15:56:51
On Apr 4, 2004, at 3:15 AM, Eric Yellin wrote:

> I run a FreeBSD machine. Something happened and the kernel failed to
> load. I tried restoring but to no avail. I re-installed freebsd and
> all data from my partitions seemed to have disappeared.
> Specifically I have one data partition that was not altered at any
> point, nor during re-install (/web) which I would love to restore...

What happens when you try to mount it under FreeBSD or Linux?

> I installed the Sleuth Kit and Autopsy and was able to view only raw
> data from the Data Unit option.

With Autopsy and TSK you will have to identify where the BSD partitions are inside of the BSD DOS partition (slice). If the disk label structure inside of the FreeBSD DOS partition was wiped during the installation then you will have to figure out where the partition actually begins. The 'gpart' tool may help with this.

It would help if you give command examples of what you have done because it gets confusing with the BSD system and the sub-partitions they have inside of the DOS partition.

brian

From: Eric Y. <er...@mi...> - 2004-04-04 18:31:21
Thanks Brian,

>> I run a FreeBSD machine. Something happened and the kernel failed to
>> load. I tried restoring but to no avail. I re-installed freebsd and
>> all data from my partitions seemed to have disappeared.
>> Specifically I have one data partition that was not altered at any
>> point, nor during re-install (/web) which I would love to restore...

> What happens when you try to mount it under FreeBSD or Linux?

Well I think that's what I did when I re-installed FreeBSD. The DOS and FreeBSD partitions did not seem to change at all, however after the install all data was accessible. "/web" was mounted on the exact same partition as it was originally. The partitions did not change.

>> I installed the Sleuth Kit and Autopsy and was able to view only raw
>> data from the Data Unit option.

> With Autopsy and TSK you will have to identify where the BSD partitions
> are inside of the BSD DOS partition (slice). If the disk label
> structure inside of the FreeBSD DOS partition was wiped during the
> installation then you will have to figure out where the partition
> actually begins. The 'gpart' tool may help with this.

I have a feeling that the problem is not finding the partition, though I may be wrong. I can see the partition. It seems to be in place and of the correct size.

Eric

From: Brian C. <ca...@sl...> - 2004-04-04 18:37:02
> I have a feeling that the problem is not finding the partition, though
> I may be wrong. I can see the partition. It seems to be in place and of the
> correct size.

What devices did you give to Autopsy to examine during the 'Import Image' process?

brian

From: Eric Y. <er...@mi...> - 2004-04-07 22:21:33
I just realized an important fact which I did not note. The OS is FBSD 5.2 using UFS2 and not UFS1. Does the Sleuthkit recognize UFS2? It did not recognize the partition as being a freebsd partition... That is why I could only view the raw data.

----- Original Message -----
From: "Brian Carrier" <ca...@sl...>
To: "Eric Yellin" <er...@mi...>
Cc: <sle...@li...>
Sent: Sunday, April 04, 2004 11:37 AM
Subject: Re: [sleuthkit-users] Restore a damaged partition

> > I have a feeling that the problem is not finding the partition, though
> > I may be wrong. I can see the partition. It seems to be in place and of the
> > correct size.
>
> What devices did you give to Autopsy to examine during the 'Import
> Image' process?
>
> brian

From: Linux T. <lin...@ya...> - 2004-04-08 12:13:53
Hi Eric

I doubt Sleuthkit does recognize UFS2. It is new, and only support in 2.6 exists. But isn't there a version of Sleuthkit for FreeBSD? If so, that should work for you.

-lt

--- Eric Yellin <er...@mi...> wrote:
> I just realized an important fact which I did not
> note. The OS is FBSD 5.2
> using UFS2 and not UFS1. Does the Sleuthkit
> recognize UFS2? It did not
> recognize the partition as being a freebsd
> partition... That is why I could
> only view the raw data.

From: Brian C. <ca...@sl...> - 2004-04-09 02:10:02
On Apr 8, 2004, at 8:13 AM, Linux Tard wrote:

> Hi Eric
> I doubt Sleuthkit does recognize UFS2. It is new, and
> only support in 2.6 exists.

Nope not yet. TCT supports it though, but only block and inode level access.

> But isn't there a version
> of Sleuthkit for FreeBSD? If so, that should work for
> you.

Sleuthkit runs on FreeBSD, but it won't help you. Sleuth Kit doesn't use any native file system support. It just needs to read raw sectors from an image or raw device and it processes itself. So, even if your system supports the file system, that doesn't mean that TSK will (and vice versa).

brian
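
Added example (not part of the original thread, and not Sleuth Kit code): one way to check a raw image for the two things the thread turns on, where a UFS file system actually begins and whether it is UFS1 or UFS2, by looking for the superblock magic at the locations FreeBSD's `ufs/ffs/fs.h` defines. The function names and the sample image are constructed for illustration.

```python
import io
import struct

# Constants as defined in FreeBSD's <ufs/ffs/fs.h>
SECTOR = 512
FS_MAGIC_OFFSET = 1372                        # offset of fs_magic inside the superblock
SB_OFFSETS = {8192: "UFS1", 65536: "UFS2"}    # SBLOCK_UFS1, SBLOCK_UFS2 (bytes from partition start)
MAGICS = {0x00011954: "UFS1", 0x19540119: "UFS2"}   # FS_UFS1_MAGIC, FS_UFS2_MAGIC


def find_ufs(img, size, step=SECTOR):
    """Scan a raw image (seekable binary file object) sector by sector.

    Returns (partition_start_byte, version, byte_order) for every position where
    a UFS magic sits at the superblock location that version uses.
    """
    hits = []
    for start in range(0, size, step):
        for sb_off, version in SB_OFFSETS.items():
            img.seek(start + sb_off + FS_MAGIC_OFFSET)
            raw = img.read(4)
            if len(raw) < 4:
                continue  # superblock would lie past the end of the image
            for order, fmt in (("little", "<I"), ("big", ">I")):
                # Require magic and location to agree; a UFS2 magic found at the
                # UFS1 offset is a misaligned hit, not a file system start.
                if MAGICS.get(struct.unpack(fmt, raw)[0]) == version:
                    hits.append((start, version, order))
    return hits


def make_sample(start_sector, version):
    """Constructed test image: zeros plus one superblock magic, no real data."""
    sb_off = {v: k for k, v in SB_OFFSETS.items()}[version]
    magic = {v: k for k, v in MAGICS.items()}[version]
    buf = bytearray(start_sector * SECTOR + 128 * 1024)
    struct.pack_into("<I", buf, start_sector * SECTOR + sb_off + FS_MAGIC_OFFSET, magic)
    return bytes(buf)


if __name__ == "__main__":
    sample = make_sample(63, "UFS2")
    for start, version, order in find_ufs(io.BytesIO(sample), len(sample)):
        print(f"{version} ({order}-endian) file system starts at sector {start // SECTOR}")
```

UFS keeps backup copies of the superblock in its cylinder groups, so on a real disk expect additional hits derived from those copies; treat the lowest one as the candidate start and confirm it against the slice layout.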